
AWS Certified Solutions Architect - Associate Cheat Sheet

AWS SAA-C03: Every Question Is a Cost-Reliability-Security Trade-off

The exam doesn't test AWS feature lists. It tests whether you can architect the most appropriate solution given specific constraints.

Among the harder certs
Avg: Approximately 65–70%
Pass: 750 / 1000
Most candidates understand AWS Certified Solutions Architect - Associate concepts — and still fail. This exam tests how you apply knowledge under pressure.

The AWS Well-Architected Framework Decision Lens

Every SAA-C03 question has one most appropriate answer. The differentiator is usually cost vs. resilience vs. operational complexity. Read each question for constraint keywords: cost-effective, highly available, least operational overhead, or most secure.

  1. Operational Excellence — Automate operations, design for failure
  2. Security — Apply least privilege, encrypt at rest and in transit
  3. Reliability — Use multi-AZ, auto-scaling, and health checks
  4. Performance Efficiency — Right-size, use managed services, cache aggressively
  5. Cost Optimization — Delete unused resources, use Reserved/Spot instances correctly

Wrong instinct vs correct approach

An application needs to handle sudden traffic spikes cost-effectively
✕ Wrong instinct

Provision EC2 instances to handle peak load at all times

✓ Correct approach

Use Auto Scaling with On-Demand and Spot Instances, or Lambda for event-driven workloads — pay for what you use, not peak capacity

A database needs to remain available if the primary AZ fails
✕ Wrong instinct

Create a Read Replica in another AZ for failover

✓ Correct approach

Enable RDS Multi-AZ deployment — it provides synchronous replication and automatic failover; Read Replicas are asynchronous and not for failover

Sensitive data must be encrypted and access must be audited
✕ Wrong instinct

Enable S3 server-side encryption and that's sufficient

✓ Correct approach

Use KMS for key management, enable CloudTrail for API auditing, and implement S3 bucket policies with explicit deny for unauthorized access
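
The bucket-policy part of this answer, as an added example that is not from the original page: a constructed policy that only grants access, the same policy with explicit Deny statements for non-TLS requests and for uploads that do not request SSE-KMS, and a small audit function that flags the missing guardrails. The bucket name, account ID, role name and function names are assumptions made for illustration.

```python
# Constructed sample policies; bucket, account ID and role are placeholders.
BUCKET_ARN = "arn:aws:s3:::example-sensitive-bucket"

WEAK_POLICY = {  # grants access and relies on default encryption: no Deny
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {   # refuse any request that does not arrive over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # refuse uploads that do not request SSE-KMS
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

def _denies(policy, operator, key, value):
    """True if some Deny statement carries Condition[operator][key] == value."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get(operator, {})
        if stmt.get("Effect") == "Deny" and cond.get(key) == value:
            return True
    return False

def audit_bucket_policy(policy):
    """Return the list of missing explicit-deny guardrails."""
    findings = []
    if not _denies(policy, "Bool", "aws:SecureTransport", "false"):
        findings.append("no explicit deny for non-TLS requests")
    if not _denies(policy, "StringNotEquals",
                   "s3:x-amz-server-side-encryption", "aws:kms"):
        findings.append("no explicit deny for uploads without SSE-KMS")
    return findings
```
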

Know these cold

  • Read the constraint first — cost, availability, security, or operational overhead
  • Multi-AZ = HA/failover; Read Replicas = read scaling — never swap these
  • Least privilege — IAM roles over IAM users, resource-level policies where possible
  • Managed services reduce operational overhead — prefer them unless control is required
  • Stateful = Security Groups; Stateless = NACLs
  • ElastiCache for read caching; CloudFront for static content delivery
  • VPC endpoints keep traffic off the public internet for AWS services

Can you answer these without checking your notes?

In this scenario: "An application needs to handle sudden traffic spikes cost-effectively" — what should you do first?
Use Auto Scaling with On-Demand and Spot Instances, or Lambda for event-driven workloads — pay for what you use, not peak capacity
In this scenario: "A database needs to remain available if the primary AZ fails" — what should you do first?
Enable RDS Multi-AZ deployment — it provides synchronous replication and automatic failover; Read Replicas are asynchronous and not for failover
In this scenario: "Sensitive data must be encrypted and access must be audited" — what should you do first?
Use KMS for key management, enable CloudTrail for API auditing, and implement S3 bucket policies with explicit deny for unauthorized access

Common Exam Mistakes — What candidates get wrong

Over-engineering solutions when least operational overhead is required

When the question asks for least operational overhead, managed services (RDS over self-managed DB, Fargate over EC2, API Gateway over custom routing) are almost always correct.

Confusing RDS Multi-AZ with Read Replicas

Multi-AZ is for high availability and disaster recovery — it provides a standby, not a read endpoint. Read Replicas are for read scaling. These are frequently swapped in performance vs. HA questions.

Using S3 pre-signed URLs when CloudFront signed URLs are needed

For distributing private content from S3 at scale with CDN benefits, CloudFront with signed URLs or signed cookies is correct. S3 pre-signed URLs bypass CloudFront and don't scale efficiently.

Applying security groups when NACLs are the right tool

Security groups are stateful and apply at the instance level. NACLs are stateless and apply at the subnet level. For blocking specific IPs across a subnet, NACLs are the right tool.
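
A simplified model of the two evaluation styles, added here as an illustration and not taken from the original page: security groups hold allow rules only, so they cannot carve one address out of a broad allow, while a NACL evaluates numbered rules in order and, being stateless, checks the reply separately against its outbound rules. All addresses, rule numbers and function names are constructed for the example.

```python
import ipaddress

def sg_allows(rules, src_ip, port):
    """Security group: allow rules only, so any matching rule admits."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in rules)

def nacl_allows(rules, peer_ip, port):
    """NACL: rules are checked in ascending rule number and the first
    match decides; traffic matching no rule hits the implicit deny."""
    ip = ipaddress.ip_address(peer_ip)
    for _num, cidr, lo, hi, action in sorted(rules):
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False

def nacl_round_trip(inbound, outbound, client_ip, server_port, client_port):
    """Stateless: the reply to the client's ephemeral port is evaluated
    on its own against the outbound rules."""
    return (nacl_allows(inbound, client_ip, server_port)
            and nacl_allows(outbound, client_ip, client_port))

# Constructed sample data (documentation address ranges).
BLOCKED = "203.0.113.7"
CLIENT = "198.51.100.20"

SG_INBOUND = [("0.0.0.0/0", 443, 443)]            # (cidr, port_lo, port_hi)
NACL_INBOUND = [                                  # (rule#, cidr, lo, hi, action)
    (90, BLOCKED + "/32", 0, 65535, "deny"),      # lower number wins
    (100, "0.0.0.0/0", 443, 443, "allow"),
]
NACL_OUT_NO_RETURN = [(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_WITH_RETURN = [(100, "0.0.0.0/0", 1024, 65535, "allow")]

if __name__ == "__main__":
    print("SG admits blocked IP:  ", sg_allows(SG_INBOUND, BLOCKED, 443))
    print("NACL admits blocked IP:", nacl_allows(NACL_INBOUND, BLOCKED, 443))
    print("Reply without return rule:",
          nacl_round_trip(NACL_INBOUND, NACL_OUT_NO_RETURN, CLIENT, 443, 50000))
    print("Reply with return rule:   ",
          nacl_round_trip(NACL_INBOUND, NACL_OUT_WITH_RETURN, CLIENT, 443, 50000))
```
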

Choosing EC2 when Lambda or Fargate fits the workload

For unpredictable, short-duration workloads, serverless (Lambda) or containers (Fargate) are more cost-effective and operationally efficient. EC2 is correct for persistent, predictable, long-running workloads.

Misidentifying the right S3 storage tier

S3 Standard for frequent access, S3-IA for infrequent, S3 Glacier for archival. Candidates use Standard when IA would be more cost-effective, or use Glacier when retrieval speed makes it impractical.

AWS architecture is about trade-offs, not feature knowledge. Test whether you can make the right call under constraints.